Ever since our server was hit by ransomware last time, I have held a grudge against Confluence.
All the security protections were in place, yet we still got ransomware. I could not make sense of it; the only plausible explanation was a vulnerability in Confluence. Looking at the relevant material, it indeed reports that Confluence has an authorization bypass vulnerability (CVE-2023-22518).
After keeping the service down for a while, I used the May Day holiday to upgrade to the latest version.
1. Download the software
1.1 Download Atlassian Confluence 8.9.4
https://www.atlassian.com/software/confluence/download-archives
Installation guide:
https://confluence.atlassian.com/doc/confluence-installation-and-upgrade-guide-214864161.html
System requirements:
https://confluence.atlassian.com/doc/supported-platforms-207488198.html
1.2 Download TencentKona 11
https://cloud.tencent.com/document/product/1149/38537
1.3 Download MySQL 8.0
https://dev.mysql.com/downloads/repo/yum/
1.4 Download the MySQL connector driver
https://dev.mysql.com/downloads/connector/j/
2. Install Java
Note: Confluence 8.9 does not support TencentKona 17; when entering the activation code it reports that the code is invalid, which is a Java version problem.
Extract to /opt

```bash
tar -zxvf TencentKona-11.0.14.b1-jdk_linux-x86_64.tar.gz -C /opt
```

Add it to the profile

```bash
vim /etc/profile
# append the following lines
export JAVA_HOME=/opt/TencentKona-11.0.14.b1
export PATH=${JAVA_HOME}/bin:$PATH
export CLASSPATH=.:${JAVA_HOME}/lib
```

Reload the profile

```bash
source /etc/profile
```

Check the Java version

```bash
java -version
```
3. Install MySQL

```bash
yum localinstall mysql84-community-release-el8-1.noarch.rpm
```

Check the repository

```bash
yum repolist enabled | grep "mysql.*-community.*"
```

Disable the MySQL module bundled with CentOS 8

```bash
yum module disable mysql
```

Install MySQL; note that --nogpgcheck has to be added

```bash
# --nogpgcheck skips package signature verification, so make sure the repo RPM above really came from dev.mysql.com
yum install mysql-community-server --nogpgcheck
```

Enable it at boot, start MySQL, and check the service

```bash
systemctl enable mysqld
systemctl start mysqld
systemctl status mysqld
```

Look up the generated temporary password

```bash
grep 'temporary password' /var/log/mysqld.log
```

Change the root password

```sql
-- run inside the mysql client after logging in with the temporary password (mysql -uroot -p)
ALTER USER 'root'@'localhost' IDENTIFIED BY '<password>';
```
Edit the database configuration file

```bash
vim /etc/my.cnf
```

Atlassian's official database requirements: https://confluence.atlassian.com/doc/database-setup-for-mysql-128747.html

```ini
# Confluence Configure (add under the [mysqld] section)
character-set-server=utf8mb4
collation-server=utf8mb4_bin
default-storage-engine=INNODB
max_allowed_packet=256M
innodb_log_file_size=2GB
transaction-isolation=READ-COMMITTED
binlog_format=row
log_bin_trust_function_creators = 1
```

log_bin_trust_function_creators = 1 must be added; otherwise connecting to the database later fails with an error.
Restart the MySQL service so the configuration takes effect

```bash
systemctl restart mysqld
```
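As an added example (not from the original post), this POSIX shell check compares the variables a running MySQL actually reports against the values the my.cnf fragment above should produce, so a forgotten restart, a typo in an option name, or a setting placed outside [mysqld] is caught before the Confluence setup wizard connects. The two sample outputs embedded in it are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that a running MySQL
# actually applies the Confluence settings from /etc/my.cnf. It reads the
# output of `mysql -N -e 'SHOW VARIABLES'` (name<TAB>value per line) on stdin.
# SHOW VARIABLES reports sizes in bytes (256M -> 268435456, 2GB -> 2147483648),
# booleans as ON/OFF and the engine as InnoDB, so those are the values compared.

# Runtime variable names and the values the my.cnf fragment above should yield.
REQUIRED="character_set_server=utf8mb4
collation_server=utf8mb4_bin
default_storage_engine=InnoDB
max_allowed_packet=268435456
innodb_log_file_size=2147483648
transaction_isolation=READ-COMMITTED
binlog_format=ROW
log_bin_trust_function_creators=ON"

# check_mysql_vars: reads SHOW VARIABLES output on stdin, prints one MISMATCH
# line per setting that differs or is missing, returns 0 only if all match.
check_mysql_vars() {
    vars=$(cat)
    out=$(printf '%s\n' "$REQUIRED" | while IFS='=' read -r name want; do
        got=$(printf '%s\n' "$vars" | awk -F'\t' -v n="$name" '$1 == n { print $2; exit }')
        [ "$got" = "$want" ] || printf 'MISMATCH %s: want %s, got %s\n' "$name" "$want" "${got:-<unset>}"
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed samples (not captured from a real server), tab-separated like mysql -N output.
# SAMPLE_OK: every Confluence setting applied.
SAMPLE_OK=$(printf 'character_set_server\tutf8mb4\ncollation_server\tutf8mb4_bin\ndefault_storage_engine\tInnoDB\nmax_allowed_packet\t268435456\ninnodb_log_file_size\t2147483648\ntransaction_isolation\tREAD-COMMITTED\nbinlog_format\tROW\nlog_bin_trust_function_creators\tON\n')
# SAMPLE_BAD: a fresh install where my.cnf was edited but mysqld was never restarted.
SAMPLE_BAD=$(printf 'character_set_server\tutf8mb4\ncollation_server\tutf8mb4_0900_ai_ci\ndefault_storage_engine\tInnoDB\nmax_allowed_packet\t67108864\ntransaction_isolation\tREPEATABLE-READ\nbinlog_format\tROW\nlog_bin_trust_function_creators\tOFF\n')

# Real use on the database host:  mysql -uroot -p -N -e 'SHOW VARIABLES' | check_mysql_vars
```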
Create the user and database

```sql
-- '%' lets this account log in from any host; since Confluence runs on the same machine,
-- 'localhost' would be the tighter choice
CREATE USER 'confluenceuser'@'%' IDENTIFIED BY '<password>';
CREATE DATABASE confluence CHARACTER SET utf8mb4 COLLATE utf8mb4_bin;
GRANT ALL PRIVILEGES ON confluence.* TO 'confluenceuser'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
\q
```

What WITH GRANT OPTION does is explained here: https://blog.csdn.net/chenghuikai/article/details/52219491
4. Install Confluence
4.1 Create the required directories

```bash
mkdir -pv /data/{confluence,confluence-home}
```

Extract the archive into the confluence directory

```bash
tar xvf atlassian-confluence-8.9.4.tar.gz -C /data/confluence/
```

Configure confluence-home

```bash
vim /data/confluence/atlassian-confluence-8.9.4/confluence/WEB-INF/classes/confluence-init.properties
```

Add the following setting

```properties
confluence.home=/data/confluence-home
```
4.2 Activation tool agent.jar
Upload the downloaded jar to the /opt/ directory

```text
/opt/agent.jar
```
4.3 MySQL driver
Before starting, copy the MySQL driver into the installation directory so that another restart is not needed later

```bash
tar -zxvf mysql-connector-j-8.4.0.tar.gz
cd mysql-connector-j-8.4.0/
mv mysql-connector-j-8.4.0.jar /data/confluence/atlassian-confluence-8.9.4/confluence/WEB-INF/lib/
```
4.4 Start Confluence

```bash
JAVA_OPTS="-javaagent:/opt/agent.jar" /data/confluence/atlassian-confluence-8.9.4/bin/start-confluence.sh
```

Check whether it started successfully

```bash
netstat -tunlp | grep 8090
ps aux | grep javaagent
ps aux | grep confluence
```

Make atlassian-agent load automatically at startup

```bash
vim /data/confluence/atlassian-confluence-8.9.4/bin/setenv.sh
# add this line
export JAVA_OPTS="-javaagent:/opt/agent.jar ${JAVA_OPTS}"
```
Open http://ip:8090 in a browser and start configuring Confluence
Generate the license key

```bash
java -jar /opt/agent.jar -d -m xxx@qq.com -n liangfu.wang -p conf -o liangfu.wang -s B2D2-GEK1-SIFY-FL7X
```

The parameters are:
-d: whether a Data Center license is required
-m: e-mail address the license is issued to
-n: license name; defaults to the e-mail address the license is issued to
-o: organization the license is issued to
-p: product name; for Confluence use conf. Supported values:
- crowd: Crowd
- jsm: JIRA Service Management
- questions: Questions plugin for Confluence
- crucible: Crucible
- capture: Capture plugin for JIRA
- conf: Confluence
- training: Training plugin for JIRA
- *: third-party plugin key, usually of the form com.foo.bar
- bitbucket: Bitbucket
- tc: Team Calendars plugin for Confluence
- bamboo: Bamboo
- fisheye: FishEye
- portfolio: Portfolio plugin for JIRA
- jc: JIRA Core
- jsd: JIRA Service Desk
- jira: JIRA Software (common jira)
-s: server ID, shown on the Confluence setup page
Note: starting with 8.6, Confluence only supports Data Center licenses, so the key-generation command must include -d
5. Other
5.1 Restore from a backup
If the export file is large, it has to be imported from the home directory. Copy the file to /data/confluence-home/restore and then import it from there.

```bash
cp /data/backups/backup-2023_11_03.zip /data/confluence-home/restore
```
5.2 Custom backup path

```bash
vim /data/confluence-home/confluence.cfg.xml
```

```xml
<property name="admin.ui.allow.daily.backup.custom.location">true</property>
```

Restart Confluence

```bash
sh /data/confluence/atlassian-confluence-8.9.4/bin/stop-confluence.sh
sh /data/confluence/atlassian-confluence-8.9.4/bin/start-confluence.sh
```
5.3 Scheduled jobs
Cron expression configured in Confluence:

```text
0 0 3 1,3,6,9,12,15,18,21,24,27,29 * ?
```

(Quartz format: seconds, minutes, hours, day of month, month, day of week; this fires at 03:00 on the listed days of every month.)
Online cron expression generator: https://cron.qqe2.com/
Crontab job configured on the Linux machine

```bash
0 5 * * * /bin/sh /opt/cos_migrate_tool_v5-1.4.12/start_migrate.sh
```
5.4 PDF export language support

```text
msyh.ttc
```
5.5 Configure the Nginx reverse proxy
(1) Install Nginx

```bash
yum install -y nginx
```

Start Nginx

```bash
systemctl start nginx.service
```

Enable Nginx at boot

```bash
systemctl enable nginx.service
```
(2) Configuration
Edit the /etc/nginx/nginx.conf file

```bash
vim /etc/nginx/nginx.conf
```

```nginx
#user nobody;
worker_processes 10;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    underscores_in_headers on;
    default_type application/octet-stream;
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;
    include /etc/nginx/conf.d/*.conf;
}
```
Create the /etc/nginx/conf.d/wiki.conf file

```bash
vim /etc/nginx/conf.d/wiki.conf
```

```nginx
server {
    listen 80;
    server_name liangfu.wang;
    return 301 https://liangfu.wang$request_uri;
}
server {
    listen 443 ssl;
    server_name liangfu.wang;
    ssl_certificate /data/liangfu.wang_bundle.crt;
    ssl_certificate_key /data/liangfu.wang.key;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996), and the cipher list below still admits
    # 3DES (DES-CBC3) and static-RSA suites without forward secrecy
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    location / {
        client_max_body_size 100m;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8090;
    }
    location /synchrony {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8090/synchrony;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
```
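The 443 server block above still negotiates TLS 1.0/1.1 and 3DES/CBC suites. As an added example that is not the author's configuration, here is the same reverse proxy with the TLS settings tightened; wiki.example.com and the certificate paths under /etc/nginx/ssl are placeholders, and the 8090 upstream and /synchrony path are the ones used on this page.

```nginx
# Added example, not the page's own wiki.conf: hardened TLS front end for Confluence.
# wiki.example.com and the /etc/nginx/ssl/* paths are placeholders.
server {
    listen 80;
    server_name wiki.example.com;
    return 301 https://wiki.example.com$request_uri;
}
server {
    listen 443 ssl;
    server_name wiki.example.com;
    ssl_certificate     /etc/nginx/ssl/wiki.example.com_bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/wiki.example.com.key;

    # Weak (page):  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # TLS 1.0 and 1.1 are deprecated by RFC 8996; only 1.2 and 1.3 stay enabled.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Weak (page): a long list that still includes DES-CBC3-SHA and static-RSA AES-SHA
    # suites (CBC, no forward secrecy). Only ECDHE + AEAD suites remain for TLS 1.2;
    # TLS 1.3 suites are negotiated separately and need no entry here.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;   # every suite above is strong, so let the client choose
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;         # a long-lived ticket key would undermine forward secrecy
    # Keep browsers on https; the port-80 block above only redirects the first request.
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        client_max_body_size 100m;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;   # matches scheme="https" on the Tomcat connector
        proxy_pass http://127.0.0.1:8090;
    }
    location /synchrony {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8090/synchrony;
    }
}
```

Because nginx reaches Tomcat over 127.0.0.1, the host firewall can drop outside traffic to 8090 and 8091 so that only the TLS front end is exposed.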
Restart Nginx

```bash
# starts nginx with this configuration; if it is already running under systemd,
# use systemctl restart nginx or nginx -s reload instead
nginx -c /etc/nginx/nginx.conf
```

Check the processes

```text
# ps -ef | grep nginx
root 20218 1 0 01:28 ? 00:00:00 nginx: master process nginx -c /etc/nginx/nginx.conf
nginx 20219 20218 0 01:28 ? 00:00:00 nginx: worker process
nginx 20220 20218 0 01:28 ? 00:00:00 nginx: worker process
nginx 20221 20218 0 01:28 ? 00:00:00 nginx: worker process
nginx 20222 20218 0 01:28 ? 00:00:00 nginx: worker process
nginx 20223 20218 0 01:28 ? 00:00:00 nginx: worker process
nginx 20224 20218 0 01:28 ? 00:00:00 nginx: worker process
nginx 20225 20218 0 01:28 ? 00:00:00 nginx: worker process
nginx 20226 20218 0 01:28 ? 00:00:00 nginx: worker process
nginx 20227 20218 0 01:28 ? 00:00:00 nginx: worker process
nginx 20228 20218 0 01:28 ? 00:00:00 nginx: worker process
root 22886 20001 0 01:36 pts/0 00:00:00 grep --color=auto nginx
```
5.6 Configure the Tomcat connector to use the https scheme
Edit /data/confluence/atlassian-confluence-8.9.4/conf/server.xml

```bash
vim /data/confluence/atlassian-confluence-8.9.4/conf/server.xml
```

Add the https attributes to the Connector

```xml
scheme="https" secure="true" proxyName="liangfu.wang" proxyPort="443"
```

The result looks like this:
5.7 JVM memory tuning
By default the JVM heap is set to 1024M; with many concurrent users the service hangs and the log reports JVM OutOfMemoryError

```bash
vim /data/confluence/atlassian-confluence-8.9.4/bin/setenv.sh
```

```bash
# Set the Java heap size
CATALINA_OPTS="-Xms2048m -Xmx2048m ${CATALINA_OPTS}"
```

Notes:
-Xmx: maximum Java heap size; the default is 1/4 of physical memory, and the best value depends on the physical memory size and the other memory demands on the machine
-Xms: initial Java heap size; on a server-side JVM it is best to set -Xms and -Xmx to the same value, while development and test JVMs can keep the default
Restart Confluence

```bash
sh /data/confluence/atlassian-confluence-8.9.4/bin/stop-confluence.sh
sh /data/confluence/atlassian-confluence-8.9.4/bin/start-confluence.sh
```

Check the Confluence process

```bash
ps -ef | grep confluence
```

Check the ports

```text
# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp6 0 0 :::8090 :::* LISTEN 54786/java
tcp6 0 0 :::8091 :::* LISTEN 55500/java
```
5.8 Change the ICP filing information in the footer

```bash
vim /data/confluence/atlassian-confluence-8.9.4/confluence/decorators/includes/footer-content.vm
```

5.9 Change the access URL
Log in to the Confluence administration page and change the default URL to https://liangfu.wang
References:
https://mp.weixin.qq.com/s/qcHe781i-sqkdgRC6FECtg
https://mp.weixin.qq.com/s/UuL8wndzhpH0HiaJIFlgzQ?poc_token=HG6kN2ajWxmYXv5LYR3We9pyaINyde6anQNTahOi
https://doc.devpod.cn/conf/confluence-cve-2023-22518-67502083.html